Re: Password Manager opinions and recommendations
On Sun 25 Mar 2018 at 14:06:53 -0400, Roberto C. Sánchez wrote:
> On Sun, Mar 25, 2018 at 06:48:15PM +0100, Brian wrote:
> > On Sun 25 Mar 2018 at 11:52:13 -0400, firstname.lastname@example.org wrote:
> > The PIN for my credit card has only four digits.
> > > * I don't change the passwords as often as I should
> > There isn't and never has been a need to do this. Passwords don't
> > deteriorate with age.
> I disagree. Forced password changes are annoying and counterproductive,
Those two attributes may be a consequence of forced password changes but
are not sufficient to advocate or not advocate such a strategey.
> but there is an argument to be made for users periodically changing
> their passwords. The Yahoo! data breach, for example, did not become
> publically known until long after the breach. Even then, the scope
> continued to expand as additional related breaches were discovered that
> had taken place even earlier.
1 day after the breach your data had been compromised. Changing your
password 10 days later on in your 1 month cycle doesn't seem to me to
be reactive security. Better than nothing, I suppose, but closing the
door after etc.
In any case, your 20 character, high entropy password was your ultimate
defence. (Not unless Yahoo! didn't hash).
> There are some sites which force me to change my password periodically
> and find them annoying because the passwords do not protect anything
> important enough to warrant that. On the other hand, there are some
> sites where I regularly change my password to guard against a hacker
> gaining continuing access to my account/data following a breach.
If I had so little confidence in the password hashing procedures at the
site I might do the same. My problem would then come down to predicting
when a likely breach would occur.
> While you are right that passwords do not deteriorate, they do get
> compromised. The last few years have shown that it happens with rather
> shocking regularity.
> Roberto C. Sánchez